Newsletters: Newsbites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume X - Issue #5

January 18, 2008

SANS FLASH: CIA Confirms Cyber Attack Caused Multi-City Power Outage

On Wednesday, in New Orleans, US Central Intelligence Agency senior analyst Tom Donahue told a gathering of 300 US, UK, Swedish, and Dutch government officials and engineers and security managers from electric, water, oil & gas and other critical industry asset owners from all across North America, that "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

According to Mr. Donahue, the CIA actively and thoroughly considered the benefits and risks of making this information public, and came down on the side of disclosure.

Delegates at the meeting shared information on how attackers are eluding current defenses and on promising practices for mitigating the most critical vulnerabilities. They also shared a jointly developed "SCADA and Control Systems Survival Kit." Next week an electronic version of the Survival Kit will be available (free) to all SANS alumni. Email scada@sans.org.

Alan

PS. If you have expertise in secure coding in .NET languages, and want to help review and shape the new "Essential Skills" document and/or the assessment and certification examinations for .NET programmers, please email spa@sans.org with your relevant credentials.


TOP OF THE NEWS

The federal government has appealed a decision by a judge in Vermont that has prevented a man from divulging the password necessary to decrypt his computer. Magistrate Judge Jerome J. Niedermeier said that to force an individual to enter the password into his computer is a violation of the Fifth Amendment, which grants protection from self-incrimination. The case involves a Canadian citizen with legal residency in the US whose computer was found to contain child pornography. The computer was seized, but the government has been unable to access data in drive Z because it is protected by PGP encryption.

(please note this site requires free registration)
-http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663_pf.html
-http://www.heise-security.co.uk/news/101935

[Editor's Note (Pescatore): In the US (and I think at least also Canada) there is certainly legal precedent for law enforcement using court orders to require a suspect to open a locked desk drawer, locker or safe. So, it is hard to see how in the long run this same thinking wouldn't extend to decrypting data - entering a password is pretty equivalent to entering a combination. But in the short run technology always moves faster than laws and regulations.
(Schultz): The judge's ruling makes considerable sense given that the US Bill of Rights guarantees that a person does not have to testify against himself. Requiring an accused person to surrender a password, encryption key, or some other object that allows investigators to access evidence against that person is in reality equivalent to forcing someone to provide self-incriminating testimony.]

CMS to Begin HIPAA Compliance Reviews (January 17, 2008)

The Centers for Medicare and Medicaid Services (CMS) will begin reviewing hospitals around the US to ensure that their practices are in compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Between 10 and 20 hospitals will be examined within the next nine months. CMS plans to publish the results of their reviews. While CMS will not divulge the names of the facilities they are reviewing, they plan to start with larger institutions as well as those that have been the object of complaints. The CMS Office of E-Health Standards and Services will post checklists of security practices mandated by HIPAA.

-http://www.govhealthit.com/online/news/350176-1.html?type=pf

[Editor's Note (Schultz): This is a potentially very significant development. Until the CMS made this announcement, the HIPAA compliance arena had been relatively dormant. The reviews will now force hospitals to expend more time and resources to ensure that they are HIPAA compliant.
(Kreitner): I hope these reviews focus on significant security issues and urge healthcare providers to stop wasting time on silly things like refusing to send a routine lab report to your home fax because they don't have a signed release from you authorizing your spouse (who might happen to walk by the fax machine) to see it, even when you give them your birth date, city of birth, mother's maiden name, and tell them it's OK for your spouse to see it.]

Most Oracle DBAs are Not Applying Security Updates (January 14, 2008)

According to a survey from Sentrigo, Inc., two-thirds of Oracle database administrators (DBAs) do not apply Oracle's patches. Of the 305 DBAs surveyed, 206 said they had never applied critical patch updates (CPUs) from Oracle. Only 31 of the respondents, just over 10 percent, said they had installed the most recent Oracle CPU. Sentrigo said the two main reasons for the low rate of patch installation are concern about how the fixes will affect the database's performance and the fact that each CPU requires that the previous CPU has been installed, so missing one installation can have a snowball effect. Readers responding to the initial story offered additional reasons why the CPUs were not being applied -- "DBAs don't have the leverage they need for best security practices to be followed;" organizations are running versions of Oracle products that are no longer supported -- but no one disputed the fact that they are not widely applied.

-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9057226&pageNumber=1
-http://blogs.computerworld.com/dbas_not_to_blame_for_oracle_patch_application_failures
-http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205603104

[Editor's Note (Ranum): It's important to remember that constantly patching one's software because of security flaws flies in the face of good administrative practice for production systems. Namely: make it work, and as long as it's working - don't mess with it. I don't think there's a great deal of vocal push-back on this topic, but one can make a good case that security is a major quality control problem for production systems. Current practices surrounding vulnerability disclosure place administrators in a lose/lose situation while simultaneously claiming it's for their own good.
(Liston): Software vendors live under the mistaken assumption that their customers actually trust them. Mission critical systems will never have patches applied without rigorous in-house testing, and even then, only when the perceived danger represented by the unpatched flaw far exceeds the "if it ain't broke don't fix it" mindset of the average DBA. While the "security" part of my brain cringes at the results of this survey, the part of me that has spent hours trying to roll back a patch that hosed a system understands and sympathizes with the DBA's dilemma.]


THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Man Pleads Guilty in Logic Bomb Case (January 10, 2008)

Jeffrey Howard Gibson has pleaded guilty to one count of intentional damage to a protected computer system for planting a logic bomb on the St. Cloud (Minnesota) Hospital computer system. The hospital had hired Gibson to develop a computer-based training program for its employees; he apparently placed the malicious code on the system during the time he was employed by the hospital. It activated several months after his departure, disabling the program he had created. Gibson faces up to 10 years in prison and a fine of up to US $250,000.

-http://minneapolis.fbi.gov/dojpressrel/pressrel08/logicbomb011008.htm

[Editor's Note (Northcutt): If anyone reading this is even *considering* writing a logic bomb, don't do it. You will get caught, you will do time in jail, and you will suffer.]

Suspect Charged in Tennessee Computer Theft (January 2008)

A suspect in the theft of computers from the Davidson County (Tennessee) Election Commission has turned himself in at police headquarters. Robert Osborne has been charged with breaking into Commission offices; he allegedly stole computers that contain voter data, including Social Security numbers (SSNs). The stolen laptops were not encrypted. Police have not yet recovered the computers.

-http://www.newschannel5.com/Global/story.asp?S=7735032

COPYRIGHT, PIRACY & DIGITAL RIGHTS MANAGEMENT

On December 18, 2007, the Australian Federal Police raided an Internet cafe in Sydney for allegedly providing its customers with inexpensive access to pirated music and movies. The raided cafe reopened a day later. Other Internet cafes in the Sydney central business district have removed similar content from their servers in the wake of the raid. The cafes had been using the lure of inexpensive music and movies to attract customers.

-http://www.smh.com.au/news/technology/internet-cafes-clean-out-after-raid/2008/01/17/1200419959751.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

A rash of reports of debit card fraud is likely linked to a recent data security breach at an unnamed major retailer. What differentiates these instances of fraud from others is that the thieves are swiping cards in brick-and-mortar establishments to purchase merchandise instead of using them to make withdrawals from ATMs. The problems started in late December and have continued into this month. People have been reporting that their banks have called them to verify suspicious card activity and some have had their cards reissued by their banks.

-http://consumerist.com/345016/major-retailers-data-breach-results-in-wave-of-credit-card-fraud

Carphone Warehouse Violated Data Protection Act (January 17, 2008)

The UK Information Commissioner's Office (ICO) has given Carphone Warehouse and TalkTalk five weeks to tighten up their data security. The ICO says the companies have violated the Data Protection Act by providing debt collection agencies with inaccurate customer names and other information. The ICO has been receiving complaints for a year about Carphone Warehouse exposing customer data online. In some cases, customer data were incorrectly associated with account information and customers were unable to obtain loans. Some customers were incorrectly linked on their accounts so that they could view others' personal information. The companies were also reportedly unresponsive to customer requests for information about themselves. If the companies do not address the data security problems, they could face hefty fines.

-http://www.zdnet.co.uk/misc/print/0,1000000169,39292224-39001093c,00.htm
-http://www.pcadvisor.co.uk/news/index.cfm?newsid=11859

Lost Memory Sticks Hold NHS Patient Data (January 11, 2008)

The Oldham NHS Primary Care Trust has acknowledged that two memory sticks containing sensitive patient information are missing. The loss affects 148 NHS patients. An internal investigation is underway and affected patients are being notified about the incident. The trust has recalled all data sticks and is in the process of evaluating policies and procedures. This is just one of the latest acknowledged data breaches affecting UK agencies.

-http://www.manchestereveningnews.co.uk/news/s/1031694_personal_info_lost_in_oldham

[Editor's Note (Pescatore): This is one of those wildly under-reported problems: since most employees use random memory sticks they pick up at conferences and the like, if they lose them they just grab another and never report it as lost. Same thing when they lose personally owned cellphones and PDAs (which increasingly may have business and customer data on them) - since they aren't company-owned assets they don't report the loss. Since so many enterprises are buying laptop encryption software, as part of those procurements and rollouts look for products that can force data to be encrypted if written to a peripheral device, and/or buy encrypting memory sticks and issue them to employees along with policy and responsibility guidance.]

MISCELLANEOUS

MySpace and State AGs Form Task Force to Protect Minors (January 15, 2008)

MySpace has reached an agreement with the attorneys general of 49 US states and the District of Columbia to employ stronger protections for minors from predators. MySpace will also spearhead an effort to develop technology to verify Internet users' ages and identities. According to the agreement, adults' profiles will be separate from children's. MySpace and the AGs will work together to protect minors from harmful content and online activity, such as pornography, harassment, cyberbullying, and identity fraud. The Multi-State Working Group on Social Networking hopes to bring other social networking sites, particularly Facebook, on board.

(please note this site requires free registration)
-http://www.nytimes.com/2008/01/15/us/15myspace.html?_r=1&oref=slogin&ref=us&pagewanted=print
-http://www.news.com/8301-13577_3-9849909-36.html?tag=nefd.lede

In this webcast, learn the benefits of going beyond log management to perform end-to-end correlation and analysis, how compliance can tie into the use of security technologies, and why the future of security information management (SIM) systems is shaping up to integrate security, risk and audit management onto one platform.

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

SANS analyst Barbara Filkins uncovers the findings in the SANS Database Auditing and Compliance Survey. Conducted over three months, 348 respondents answered a variety of questions ranging from their perceptions of compliance issues to security frameworks and roles and responsibilities for data privacy protection inside their organizations.

We will also be announcing the $250 American Express card winner from among nearly 200 respondents who signed up for our drawing.

A need for increased visibility into its diverse network prompted GraceKennedy's security team to seek an intrusion detection system. They found a solution that met all their needs and offered great tech support, as well as a component that could establish a network activity baseline and another that included a top vulnerability scanner for the same price as other solutions they tried. GraceKennedy is one of the Caribbean's largest and most dynamic corporate entities. The company started in Jamaica in 1922 as a small trading establishment and wharf founder. It has expanded and diversified over the years, changing from a privately-owned enterprise to a public company listed on the stock exchanges of Jamaica, Trinidad, Barbados and the Eastern Caribbean. Today, the GraceKennedy Group comprises a varied network of some 60 subsidiaries and associated companies located across the Caribbean, in North and Central America and the United Kingdom. The group's operations span the food distribution, financial services, insurance, remittance, hardware retailing and food-processing industries.

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit http://portal.sans.org/